IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 49, NO. 1, JANUARY 2004
Observer-Based State-Feedback Control of Timed Petri Nets With Deadlock Recovery
Alessandro Giua, Member, IEEE, Carla Seatzu, and Francesco Basile, Member, IEEE
Abstract—This paper discusses the problem of controlling a timed Petri net whose marking cannot be measured but is estimated using an observer. The control objective is to enforce a set of generalized mutual exclusion constraints (GMEC), and all transitions are assumed to be controllable. We show that the use of marking estimates may significantly reduce the performance of the closed-loop system and in particular may lead to a deadlock. First, we present a linear algebraic characterization of deadlock markings based on siphon analysis. Second, we show how this characterization may be used to derive a procedure that may be invoked to recover from a controller-induced deadlock. Finally, we assume that the timing delays associated with transitions are known and show how this knowledge can be used to improve the marking estimate and to recover the net from partial deadlocks. This procedure is similar to the one used for deadlock recovery and may be invoked whenever a transition has not fired for a time longer than its expected delay.

Index Terms—Deadlock recovery, observers, Petri nets, timed discrete-event systems.
I. INTRODUCTION
In this paper, we deal with the issue of controlling a Petri net whose marking cannot be measured. The problem of controlling a discrete event system under incomplete information has often been discussed in the literature. As an example, the use of state-feedback control under partial state observation has been discussed by Li and Wonham [9], [10] and by Takai et al. [19]. In the work of these authors the partial observation is due to a static mask that maps the plant state space into an observation space. In the Petri net framework we also mention the work of Zhang and Holloway [21], who used a controlled Petri net model for forbidden state avoidance under partial event observation with the assumption that the initial marking is known. Moody and Antsaklis have also discussed the design of monitor places for nets with uncontrollable and unobservable transitions [12].

The approach we develop in this paper is based on the classical system theory notion of a state-feedback controller that uses an observer to estimate the plant state. In previous work [7] we have shown how it is possible to estimate the actual marking of the net based on the observation of a word of events (i.e., transition firings), and an algorithm was given for computing the marking estimate. The estimate is always a lower bound of the actual marking. The system that computes the estimate is called an observer. The special structure of Petri nets allows us to use a simple linear algebraic formalism for estimate computation. In particular, the set of markings consistent with an observed word, i.e., the set of markings in which the system may actually be given the observed word, can easily be described in terms of the observer estimate and can be characterized as the integer solutions of a linear constraint set. Other approaches to the design of Petri net observers can also be found in [16].

In [7] we have also shown how the estimate generated by the observer may be used to design a state feedback controller that ensures that the controlled system never enters a set of forbidden states. We considered a special class of safety specifications that limit the weighted sum of markings in subsets of places, called generalized mutual exclusion constraints (GMEC).

Clearly, the use of marking estimates, as opposed to exact knowledge of the actual marking of the plant, leads to a worse performance of the closed-loop system. In fact, in a safety problem the aim of the controller is to prevent all those transition firings that lead to a forbidden marking. If the actual marking is not exactly known, but is only known to belong to a given consistent set, the controller must forbid all transition firings that from "any" marking in the consistent set may lead to a forbidden marking, and the controller usually becomes more restrictive as the cardinality of this set increases. Because of this it may be the case that the controlled system reaches a deadlock, i.e., a blocking condition, even if it is deadlock free when perfect information about the marking is available.

We first show that, using siphon analysis, the set of deadlock markings of a structurally bounded net can be characterized as the integer solutions of a linear constraint set.

Manuscript received September 16, 2002; revised July 30, 2003. Recommended by Associate Editor R. S. Sreenivas. A. Giua and C. Seatzu are with the Dipartimento di Ingegneria Elettrica ed Elettronica, Università di Cagliari, Cagliari 09123, Italy (e-mail: [email protected]; [email protected]). F. Basile is with the Dipartimento di Ingegneria dell'Informazione e Ingegneria Elettrica, Università di Salerno, Salerno 84084, Italy (e-mail: [email protected]). Digital Object Identifier 10.1109/TAC.2003.821419
Siphon analysis has already been used by several authors to derive deadlock avoidance policies: see [1], [4], [5], [14]. The approach we present here differs from those approaches in two ways. First, our approach only aims to give a characterization of deadlock markings. On the contrary, the referenced approaches aim to solve a more complex problem, namely that of deriving a deadlock avoidance policy: to do this it is necessary to also characterize impending deadlock markings, i.e., markings that are not dead but that will lead to a deadlock in a finite number of steps. Second, since we solve a less complex problem we are able to derive a simpler (in terms of number of constraints and number of unknowns) characterization that applies to a large class of nets (ordinary and structurally bounded), while the referenced approaches are only valid for restricted classes of nets.

Then we focus our attention on timed Petri nets, i.e., Petri nets where a delay is associated with each transition. The delay represents the time that must elapse from the enabling of the transition until it fires. We initially assume that only very loose information on the timing structure is available. More precisely, we assume that if no transition firing occurs within a reasonable amount of time in a controlled system (we say that the net has timed out), one can conclude that a deadlock has occurred and a recovery procedure should be invoked. The characterization based on siphon analysis may be used to derive a recovery procedure from deadlocks induced by the observer. We also explore the characterization of those cases in which the proposed procedure works. More precisely, we consider a particular class of macromarkings and derive a sufficient condition to ensure that the controlled net will never time out. We also give a sufficient condition to ensure that, in case a time-out occurs, the proposed procedure will always recover the net from a deadlock. Finally, we show how the linear algebraic characterization of deadlock markings may also be used to improve the marking estimate, thus providing a better characterization of the set of consistent markings.

In the final part of the paper, we consider the case in which the timing structure is known and propose a new control algorithm that uses the previous marking estimate and control approach, but that also takes into account the knowledge of the delays and of the enabling status of each transition. This algorithm should be invoked whenever a transition has not fired for a time larger than its expected delay, i.e., when a transition has timed out. Thus it not only allows the supervisor to recover from total deadlocks (as in the previous case) but it also allows one to detect partial deadlocks, and in general it improves and accelerates the convergence of the marking estimation procedure. We also show how the observer can use this information to restrict the set of consistent markings.

0018-9286/04$20.00 © 2004 IEEE

II. BACKGROUND ON PETRI NETS

In this section we recall the formalism used in the paper. For more details on Petri nets we refer the reader to [13].

A Place/Transition net (P/T net) is a structure consisting of a set of places, a set of transitions, and pre- and postincidence functions that specify the arcs; the incidence matrix is the difference between the postincidence and the preincidence matrices. The preset and postset of a node are denoted with the usual dot notation. A marking is a vector that assigns to each place of a net a nonnegative integer number of tokens, represented by black dots; in the following we denote the marking of a place by the corresponding component of the marking vector. A system or net system is a net with an initial marking.

A transition is marking enabled at a marking if every input place of the transition contains at least as many tokens as the weight of the corresponding input arc. In this paper we also assume that a supervisor, i.e., an external control agent, may forbid the occurrence of a transition by specifying a marking dependent control pattern that declares each transition either control enabled or control disabled at the current marking.
A transition is enabled at a marking if it is both marking enabled and control enabled. A transition enabled at a marking may fire, yielding a new marking. We also write that an enabled sequence of transitions may fire at a marking yielding a new marking, and we denote the sequence of null length as the empty word. The set of all sequences firable in a net system is the language of the net (this is also called the prefix-closed free language of the net); if a firing sequence is enabled at the initial marking we also say that it is a word in that language.

A marking is reachable in a net system iff there exists a firing sequence that yields it from the initial marking. The set of all markings reachable from the initial marking defines the reachability set of the net system.

A nonnegative integer vector whose product with the incidence matrix is the zero vector is called a P-invariant. A P-invariant is minimal if there does not exist another P-invariant that is componentwise smaller than it.

A transition is said to be live if for any reachable marking there exists a sequence of transitions firable from it which contains the transition. A Petri net is said to be live if all transitions are live. A marking is a deadlock (or dead) marking if no transition may fire at it. A Petri net is said to be deadlock-free if at least one transition is enabled at every reachable marking. A place is said to be bounded if there exists a constant such that its marking never exceeds that constant at any reachable marking. A net system is bounded if all places are bounded. A net is structurally bounded if it is bounded for all initial markings.

A P/T net is called ordinary when all of its arc weights are 1. A siphon of an ordinary net is a nonempty set of places whose preset is contained in its postset. A siphon is minimal if it is not the superset of any other siphon. In the following we denote the characteristic vector of a set of places as the vector whose component is 1 if the corresponding place belongs to the set and 0 otherwise.

Definition 1: Given a net and a subset of its transitions, we define the induced subnet as the new net whose pre- and postincidence functions are the restriction of those of the original net to the retained transitions. The induced subnet can also be thought of as obtained from the original net by removing all transitions not in the subset.

A deterministic timed P/T net is a pair consisting of a standard P/T net and a release delay function that assigns a nonnegative fixed firing duration to each transition. A transition with a release delay equal to 0 is said to be immediate. The release delay represents the time that must elapse, starting from the time at which the transition is enabled, until it fires. We use single-server semantics, i.e., no concurrent firings of the same transition are possible.

III. MARKING ESTIMATION WITH MACROMARKINGS

In previous work [7] the authors dealt with the problem of reconstructing the marking of a P/T net assuming that partial information about the initial marking is available in the form of a macromarking.

Definition 2 ([7]): Assume that the set of places can be written as the union of pairwise disjoint subsets. The number of tokens contained in each of these subsets but one is known, while the number of tokens in the remaining subset is unknown. For each subset, let its characteristic vector be the vector whose component is 1 for the places in the subset and 0 otherwise. The macromarking defined by these characteristic vectors and the known token counts is the set of markings whose weighted sums against those vectors equal the known counts.

The notion of macromarking occurs frequently when describing systems containing a known set of resources (e.g., parts, machines) whose actual conditions (e.g., exact location of parts within the plant, state of a machine) are unknown.

We make the following assumptions.
A1) The structure of the net is known, while the initial marking is not.
A2) The event occurrences (i.e., the transition firings) can be observed.
A3) The initial marking belongs to the macromarking, i.e., it satisfies the equation that defines it.

We also introduce the following notation.

Definition 3 ([7]): After the word w has been observed we define the set of w-consistent markings as the set of all markings in which the system may be, given the observed behavior and the initial macromarking.

Given an evolution of the net, we use the following algorithm to compute the estimate of each actual marking based on the observation of the word of events and on the knowledge of the initial macromarking. The same algorithm also enables us to compute the bound, depending on the word and on the initial macromarking, that is used to characterize the set of consistent markings.

Algorithm 4 ([7]) (Marking Estimation With Event Observation and Initial Macromarking).
1)
2)
3)
4)
5)
6)
7)

In simple words, if the currently observed word is w and a transition fires, the algorithm first updates the current estimate by adding the minimal number of tokens required to enable that transition. Second, the algorithm computes the new estimate as the marking obtained from the updated one by firing the transition.

The set of consistent markings can be characterized in terms of the estimate and bound¹ as follows.

¹To avoid a heavy notation, we will drop the subscript w from the estimate and from the bound whenever it is possible without introducing ambiguity.

Fig. 1. State feedback control loop with observer.

Theorem 5 ([7]): Given a net with initial macromarking, an observed word w, and the corresponding estimated marking and bound computed by Algorithm 4, the set of w-consistent markings coincides with the set of markings consistent with the estimate and the bound, i.e., the set
(1)

IV. CONTROL USING OBSERVERS

In this section we show how the marking estimate constructed with the formalism discussed in Section III can be used by a control agent to enforce a given specification on the plant behavior. We make several assumptions that are briefly discussed here.
• We assume that the specification on the desired behavior is given as a set of legal markings. The use of marking (i.e., state) specifications leads naturally to the design of a state feedback control law [8] that may be easily adapted to the presence of an observer in the feedback loop.
• We consider a special type of state specifications called generalized mutual exclusion constraints (GMEC) that have been considered by various authors [6], [11], [20]. Given an integer matrix with one row per constraint and an integer vector of bounds, a GMEC defines the set of legal markings as those whose weighted token counts do not exceed the corresponding bounds.
• The controller may disable transitions to prevent the plant from entering a forbidden marking, computing a marking dependent control pattern. If the pattern disables a transition at a marking, the transition is disabled by the controller at that marking; otherwise it is enabled.
• All transitions are controllable, i.e., can be disabled by the controller.

The considered control scheme is shown in Fig. 1. It is well known that under the assumptions that the initial marking is legal, all transitions are controllable, and the actual marking is known, an optimal (i.e., maximally permissive) control policy that enforces a given state specification is as follows.

Definition 6 (Optimal State Feedback for GMEC): Given a GMEC and a marking, the firing of a transition from that marking should be prevented if and only if it leads from a legal to a forbidden marking.

When an observer is used in the control loop, the actual marking is not known and only the set of consistent markings is available to the controller. The control law now becomes a function of the set of consistent markings and can be given as follows.

Definition 7 (Optimal State Feedback for GMEC With Observer): Given a GMEC and a set of consistent markings, the firing of a transition should be prevented if and only if there exists a legal consistent marking such that the firing of the transition from it leads to a forbidden marking.

The computation of the control pattern may be carried out by solving a number of linear integer programming problems (IPP) as given in the following algorithm.

Algorithm 8 (Computation of the Optimal State Feedback With Observer). The control law in Definition 7 can be computed as follows.
1) For each transition, solve the IPP with constraints
(a)
(b)
(c)
(d)
(e)
(2)
2)
3) Define the control pattern as
(3)

Thus a transition is disabled only if it may fire (constraint (c)) and there exists a consistent marking (constraint (a)) that is legal (constraint (b)) and from which the firing of the transition leads to a marking (constraint (d)) that is not legal because at least one of the GMEC inequalities is violated. Note that, as a consequence of (1), constraint (a) is linear with respect to the marking.

Finally, we state an elementary proposition that will be used in the following.

Proposition 9: Let two sets of consistent markings be given, the first contained in the second. Then the control pattern computed from the first set is at least as permissive as the one computed from the second, i.e., every transition enabled by the second pattern is also enabled by the first. We denote this by writing that the first pattern is greater than or equal to the second.

Proof: For every transition, a marking that is feasible for the IPP (2) written for the first (smaller) set is also feasible for the IPP written for the second (larger) set, since every marking of the first set belongs to the second. Thus whenever the first IPP forces a transition to be disabled, so does the second, and the result follows from the definition of the control pattern given in (3).

A trivial consequence of this proposition is the following. If the actual marking is perfectly known, the set of consistent markings is the singleton containing it. If the actual marking can only be estimated by an observer, then the set of consistent markings is a superset of that singleton. This means that the control pattern computed using an observer may be more restrictive than the optimal state feedback computed when the actual marking is known. As shown in the following example, this may often lead to a block.

Fig. 2. Petri net model of the assembly system.

A. A Manufacturing Example
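Before turning to the manufacturing example, here is an added runnable example (mine, not code from the paper) of the pieces defined so far: the estimate of Algorithm 4 as the text describes it in words (add the minimal tokens needed to enable the observed transition, then fire it), the set of consistent markings of Definition 3 computed by direct enumeration rather than by the linear characterization (1), and the control patterns of Definitions 6 and 7. The net, the place and transition names `p1`..`p4` and `t1`..`t4`, the macromarking (one part per two-place cycle, location unknown) and the GMEC `M(p2) + M(p4) <= 1` are all constructed for the example and are not the paper's Fig. 2 model. It shows Proposition 9 in action: with the actual marking hidden the controller disables `t1` and `t3`, and at the actual marking `(1,0,1,0)` nothing can fire, an observer-induced deadlock, while the optimal state feedback of Definition 6 would enable both. Replaying an observed word from a different hidden marking shows the estimate staying a lower bound of every consistent marking and the consistent set collapsing to the actual marking.

```python
"""Marking observer (Algorithm 4), consistent markings (Definition 3) and the GMEC
controllers of Definitions 6 and 7 on a constructed four-place net."""
from itertools import product

# Constructed ordinary net (all arc weights 1), not the paper's model.  Two parts, each
# cycling between two places:  t1: p1->p2,  t2: p2->p1,  t3: p3->p4,  t4: p4->p3
PLACES = ("p1", "p2", "p3", "p4")
TRANSITIONS = ("t1", "t2", "t3", "t4")
PRE = {"t1": (1, 0, 0, 0), "t2": (0, 1, 0, 0), "t3": (0, 0, 1, 0), "t4": (0, 0, 0, 1)}
POST = {"t1": (0, 1, 0, 0), "t2": (1, 0, 0, 0), "t3": (0, 0, 0, 1), "t4": (0, 0, 1, 0)}

# Initial macromarking (Definition 2): M(p1)+M(p2) = 1 and M(p3)+M(p4) = 1, i.e. one part
# per cycle with unknown location.  Rows of V and the known token counts.
V = ((1, 1, 0, 0), (0, 0, 1, 1))
B = (1, 1)
# GMEC (single row, assumed for the example): M(p2) + M(p4) <= 1.
L = ((0, 1, 0, 1),)
K = (1,)


def marking_enabled(M, t):
    return all(m >= p for m, p in zip(M, PRE[t]))


def fire(M, t):
    return tuple(m - p + q for m, p, q in zip(M, PRE[t], POST[t]))


def legal(M):
    return all(sum(l * m for l, m in zip(row, M)) <= k for row, k in zip(L, K))


def macromarking(max_tokens=1):
    """All markings with V^T M = B (assumption A3), enumerated up to max_tokens per place."""
    return {M for M in product(range(max_tokens + 1), repeat=len(PLACES))
            if all(sum(v * m for v, m in zip(row, M)) == b for row, b in zip(V, B))}


def consistent_markings(initial_set, word):
    """Definition 3 by enumeration: markings the system may be in after the observed word,
    starting from any initial marking from which the whole word is firable."""
    current = set(initial_set)
    for t in word:
        current = {fire(M, t) for M in current if marking_enabled(M, t)}
    return current


def estimate(word):
    """Algorithm 4 as described in the text: when a transition is observed, first add the
    minimal number of tokens needed to enable it, then fire it.  The result is a lower
    bound of every consistent marking."""
    mu = (0,) * len(PLACES)
    for t in word:
        mu = tuple(max(m, p) for m, p in zip(mu, PRE[t]))
        mu = fire(mu, t)
    return mu


def control_pattern(consistent):
    """Definition 7: disable t iff some legal consistent marking enables t and firing t from
    it leads to a forbidden marking.  With a singleton set this is Definition 6."""
    return {t: not any(legal(M) and marking_enabled(M, t) and not legal(fire(M, t))
                       for M in consistent)
            for t in TRANSITIONS}


def closed_loop_enabled(M, f):
    """Transitions both marking enabled at M and control enabled by pattern f."""
    return [t for t in TRANSITIONS if f[t] and marking_enabled(M, t)]


def deadlock_demo(actual=(1, 0, 1, 0)):
    """Observer-based pattern versus the optimal one at a hidden actual marking."""
    f_obs = control_pattern(macromarking())
    f_exact = control_pattern({actual})
    return f_obs, f_exact, closed_loop_enabled(actual, f_obs), closed_loop_enabled(actual, f_exact)


def run_observer(actual0, word):
    """Replay an observed word from the hidden marking actual0.  For every prefix return
    (estimate, consistent set, pattern), checking that the actual marking is consistent and
    that the estimate is a lower bound of every consistent marking."""
    initial, M, steps = macromarking(), actual0, []
    for i in range(len(word) + 1):
        w = word[:i]
        C, mu = consistent_markings(initial, w), estimate(w)
        f = control_pattern(C)
        if M not in C or any(any(a < b for a, b in zip(N, mu)) for N in C):
            raise AssertionError("observer invariant violated")
        steps.append((mu, C, f))
        if i < len(word):
            t = word[i]
            if not (f[t] and marking_enabled(M, t)):
                raise ValueError(f"{t} cannot fire at {M} under the current pattern")
            M = fire(M, t)
    return steps


if __name__ == "__main__":
    f_obs, f_exact, en_obs, en_exact = deadlock_demo()
    print("observer pattern:", f_obs, "enabled:", en_obs)   # nothing enabled: block
    print("exact pattern:   ", f_exact, "enabled:", en_exact)
    for mu, C, f in run_observer((0, 1, 1, 0), ("t2", "t3")):
        print(mu, sorted(C), [t for t in TRANSITIONS if f[t]])
```

The enumeration in `macromarking` is only practical because the net is tiny; for a real net the consistent set is handled through the estimate and bound as in Theorem 5 and Algorithm 8, not by listing markings.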
Now, let us apply the above methodology to a manufacturing system whose Petri net model is shown in Fig. 2. This assembly system, similar to the one described in [15], consists of five machines, whose operational processes are modeled by the firing of five transitions. Two principal types of operations are involved in this manufacturing system: regular operations and assembly operations. Regular operations (modeled by three of these transitions) just transform a component of the intermediate product. Assembly operations (modeled by the other two transitions) put components together to obtain a more complex component of a final product or the final product itself. Note that this model also uses two transitions which do not represent operations but the beginning of the manufacturing of components which are required to assemble a more complex component or the final product. In this example there are two manufacturing levels: the primary one leads to the finished product, the secondary one leads to a semi-finished (in-working) product. The markings of two places represent the number of assembly servers of the two assembly machines. The markings of a further group of places represent the availability of parts to be processed (raw materials), while the markings of another group represent the availability of semi-finished products. Two more places ensure that two of the machines work alternately.

The Petri net model in Fig. 2 is a strongly connected event graph. There exist ten elementary circuits, that correspond to an equal number of P-invariants. For the initial marking of the net in Fig. 2 we have (here, to avoid a heavy notation, we use a short symbol for the marking of each place)
(1)
(2)
(3)
(4)
(5)
(6)
(7)
(8)
(9)
(10)
(4)

Fig. 3. Evolution of the net in Fig. 2 when no deadlock recovery procedure is applied.

We assume that the above set of P-invariants coincides with the macromarking. Moreover, we assume that the controller must enforce two specifications:
(a)
(b)
(5)

The first specification requires that at most 3 raw parts may be simultaneously waiting to be processed by either of two machines. The second specification requires that at most 3 raw parts may be waiting to be processed by a third machine. Finally, we assume that the delay times associated with transitions are those shown in Fig. 2.

If the marking of the net is measurable, then the controlled net is live, as can be verified by reachability analysis. On the contrary, if the marking of the plant is not measurable, an observer must be used in the control loop and this leads to an observer-induced deadlock. The closed loop behavior is shown in Fig. 3, where each node is labeled with the marking reached and, for each marking, the set of transitions disabled by the controller is shown. Finally, a variable in the figure denotes the actual value of time.

After the sequence shown in Fig. 3 has fired, only one transition is marking enabled. Nevertheless, the controller prevents its firing because there exists at least one marking in the set of consistent markings from which its firing would potentially violate specification (b). Note that the controller also prevents the firing of another transition because its firing would potentially violate specification (a).

V. A LINEAR CHARACTERIZATION OF DEADLOCK MARKINGS

In this section we present a linear algebraic characterization of deadlock markings based on siphon analysis that will be used in Section VI to derive a procedure for deadlock recovery. Such a characterization is valid for ordinary and structurally bounded Petri nets. Siphon based techniques for deadlock analysis and avoidance have also been used by other authors [1], [4], [5], [14].

We first observe that, by definition, the characteristic vector of a siphon is such that:
(6)

Condition (6) means that if a place belongs to a siphon and a transition inputs into that place, then there must exist at least one place in the siphon inputting into that transition. Condition (6) can also be rewritten as a nonlinear inequality:
(7)

where the sign vector has ith component equal to 1, 0, or −1 if the ith component of its argument is positive, null, or negative, respectively. Since the above inequality holds for all transitions, we can write
(8)

We can finally state the following result.

Lemma 10: A set of places is a siphon of the net if and only if its characteristic vector satisfies
(9)

Proof: We observe that the two left-hand sides coincide, thus a vector is a solution of (9) if and only if it is a solution of (8).

Second, let a generic marking of the net be given. If it corresponds to a reachable marking of the net such that the siphon with the given characteristic vector is empty, then
(10)

For structurally bounded Petri nets, (10) can easily be converted into an equivalent linear equation.

Lemma 11: Given a structurally bounded net, a siphon with a given characteristic vector is empty at a marking if and only if
(11)

where the constant is a positive integer. More precisely, it should be chosen greater than or equal to the maximum structural bound of the places [18], where structural bounds can be determined using any LP software.

Proof: Equation (11) implies that if the characteristic vector has a null entry for a given place (i.e., the place does not belong to the siphon) then no constraint exists on the marking of that place, since the equation is satisfied for all reachable markings. On the contrary, if the entry is 1 (i.e., the place belongs to the siphon) then the place must be empty.
An analogous linear characterization of siphons has already been proposed by Chu and Xie in [4].

Thirdly and finally, to completely characterize the set of deadlock markings we use the following results that apply to autonomous, i.e., uncontrolled, nets.

Lemma 12 ([17]): Let a marked ordinary net be given. If its marking is a dead marking then the set of empty places is an unmarked siphon of the net.

We restate the previous result in a slightly different form.

Lemma 13: Let a marked ordinary net be given. A marking is a dead marking iff the two following statements hold:
i) the set of places empty at the marking is an unmarked siphon of the net;
ii) every transition has at least one input place in that set.

Proof: (if) Conditions (i) and (ii) together imply that every transition has at least one empty input place, thus no transition is enabled. (only if) Condition (i) follows from Lemma 12, while condition (ii) follows from the fact that a dead transition must have at least one empty input place, which by definition belongs to the set of empty places.

On the basis of the above lemmas, we can finally state the main result.

Theorem 14: Given a structurally bounded net, a marking is a deadlock marking if and only if there exists a characteristic vector such that the following set of linear equations is satisfied:
(a)
(b)
(c)
(d)
(e)
(f)
(12)

Proof: A marking is dead if and only if there exists a siphon as defined in Lemma 13. The characteristic vector of the siphon must satisfy (a) by Lemma 10 and (b) by Lemma 11. Furthermore, by definition of the siphon of Lemma 13, if a place is empty at the marking then it must belong to the siphon, and this is imposed by (c). Finally, (d) states that for any transition there exists at least one input place that is empty at the marking, and that consequently belongs to the siphon.

By virtue of the linear characterization above, we define the set of blocking markings of a net as the set of markings satisfying (12).

Finally, we present a technical result that will be used in the following.

Proposition 15: Given a net, a subset of its transitions and the subnet induced by that subset, every blocking marking of the net is also a blocking marking of the induced subnet, i.e., the set of blocking markings of the net is contained in that of the subnet.

Proof: Constraints (12).a and (12).d are each composed of one inequality per transition. In the original net they consist of the corresponding inequalities of the induced subnet plus additional ones for the removed transitions, so every marking that satisfies (12) for the net also satisfies it for the subnet. This proves the statement.

VI. RECOVERY AND ESTIMATE UPDATE AFTER NET TIME-OUT

Let us suppose that, although we have no exact information on the timing structure of the net, we can be sure that the net is blocked if a sufficiently long time has elapsed without observing any event occurrence. Such is the case if we know that all transition delays are bounded by a known constant. If a time greater than this constant elapses without observing any firing, we say that the net has timed out.

Proposition 16: Assume that the net controlled with a given control pattern has timed out. Let us define the subset of transitions enabled by the controller, and let the induced subnet be the net restricted to those transitions. Then the actual (unknown) marking of the controlled net is a deadlock marking for that uncontrolled subnet, i.e., it belongs to the set of blocking markings of the subnet.

Proof: The transitions blocked by the controller can be removed from the net without changing its behavior. The resulting net is an autonomous net for which the results of Lemma 13 and Theorem 14 apply.

We now propose an automatic approach that tries to exploit the information that the net has timed out to recover from this blocking condition and improve the estimate. Of course this procedure may be effective only if the deadlock has been caused by the incomplete information about the actual marking originated by the presence of the observer in the closed loop.

A. Deadlock Recovery

The deadlock recovery procedure we propose consists in recomputing the control pattern using a new IPP that adds to the constraints in (2) some additional constraints to capture the fact that the actual (unknown) marking belongs to the set of blocking markings of the subnet defined in Proposition 16.

Algorithm 17 (Control Pattern Updating After Net Time-out): Given a net controlled using an observer, let the current values of the estimate and bound be given, and define the corresponding initial set of consistent markings. Assume that the computed control pattern has led the net to a time-out. We can update the control pattern using the following procedure.
1)
(13)
2)
3)
(14)
4)
5) a)
   b)

Note that the operator defined by (14) depends on the current set of consistent markings, because that set enters its definition. In this algorithm the knowledge that a time-out has occurred is used to restrict the set of consistent markings and construct a new control pattern (step 3) that, as the next proposition shows, is at least as permissive as the previous one. If the new control pattern is still blocking and a new time-out occurs, the procedure is repeated until either the net recovers from the deadlock or we cannot update the control pattern any more and the procedure fails.

We now present some elementary results concerning this algorithm.

Proposition 18: Algorithm 17 has the following properties:
• at every iteration, the updated control pattern computed at step 3 is at least as permissive as the previous one;
• the algorithm terminates in a finite number of steps;
• if the algorithm terminates at step 4 with the updated pattern equal to the previous one, the final control pattern is a fixed point of the operator defined by (14).

Proof: The first statement can be proved by induction. In fact we observe (base step) that, by Proposition 9, the restriction of the set of consistent markings performed at the first iteration implies that the new pattern is at least as permissive as the initial one. Assume now that at a given iteration the current pattern is at least as permissive as the previous one: we prove (induction step) that the same holds at the next iteration. In fact, a more permissive pattern enables a superset of transitions, thus by Proposition 15 the set of blocking markings of the induced subnet shrinks, the set of consistent markings is further restricted, and this implies, by Proposition 9, that the next pattern is at least as permissive as the current one.

The second statement follows from the fact that each time the loop in the algorithm is repeated, either the new pattern equals the previous one (and in this case the algorithm terminates), or, by the previous statement, it enables strictly more transitions, so that eventually the maximally permissive control that enables all transitions is reached in a number of steps less than or equal to the number of transitions.

The third statement follows trivially from the fact that if the algorithm terminates at step 4, then the new pattern coincides with the previous one.

B. A Sufficient Condition for Deadlock Freedom

It is important to characterize those cases in which the procedure outlined in Algorithm 17 is able to recover from a net time-out. Here we consider a particular class of macromarkings, such that the characteristic vectors defining them are P-invariants. In this case, it is possible to show that the set of consistent markings at each step is a subset of the initial macromarking.

Proposition 19: Let the initial macromarking be such that each of its characteristic vectors is a P-invariant. Then, for all observed words w, the set of w-consistent markings is contained in the initial macromarking.

Proof: First note that, whenever the characteristic vectors are P-invariants, the bound computed by Algorithm 4 remains equal to the initial token counts for all observed words. In fact, by Algorithm 4, each time a new transition fires the bound is updated by the product of the characteristic vectors with the corresponding column of the incidence matrix, which is null for P-invariants, while initially the bound equals the known token counts. Furthermore, the estimate is nonnegative, thus for all observed words w the set of w-consistent markings is contained in the set of markings satisfying the macromarking equation.

We use the previous result to give a sufficient condition to ensure that the controlled net will never time out.

Theorem 20: Consider a net with initial macromarking whose characteristic vectors are P-invariants, controlled using Algorithm 8. Let the set of transitions enabled by the initial control pattern be given, and let the induced subnet be the net restricted to those transitions. Then the closed loop system will never reach a blocking state, i.e., the net will never time out, if the following constraint set
(15)
is not admissible, i.e., if it does not admit any solution.

Proof: First note that when the net is initialized, the set of consistent markings coincides with the initial macromarking. If the constraint set (15) does not admit a feasible solution, the net is never blocked when the initial control pattern is applied, regardless of the initial marking. After a word has been observed, the set of consistent markings is contained in the initial macromarking (by Proposition 19), while the actual marking still belongs to the macromarking, its characteristic vectors being P-invariants. Thus by Proposition 9 the current pattern is at least as permissive as the initial one, and regardless of the current marking the controlled net is not blocked.

We finally extend the previous result, giving a sufficient condition to ensure that, even if a time-out may occur, Algorithm 17 will always successfully recover the net from a deadlock. Consider a net with a given set of consistent markings. Assume that Algorithm 17 is invoked but at step 5 we always execute step 5.b, until the algorithm stops at step 4: the resulting pattern is the maximally permissive control pattern that could be applied if the net always timed out when the set of consistent markings is the given one. A formal definition is the following.

Definition 21: Given a net controlled with an observer and a set of consistent markings, let the initial control vector be the pattern computed from that set. The maximal control pattern associated to the set is the fixed point of the operator defined by (14) reached by iterating it from the initial control vector.

Note that by Proposition 18, part 2, this fixed point is reached in a finite number of steps (less than or equal to the cardinality of the set of transitions).

Theorem 22: Consider a net with initial macromarking whose characteristic vectors are P-invariants, controlled with Algorithm 8. Let the set of transitions enabled by the maximal control pattern associated to the initial consistent set, as defined in the previous definition, be given, and let the induced subnet be the net restricted to those transitions.
1) If a net time-out occurs and the procedure given in Algorithm 17 is applied, the net will always recover from a deadlock if the following constraint set
(16)
does not admit any admissible solution.
2) If the maximal control pattern enables all transitions and the controlled net times out, Algorithm 17 will recover from the deadlock if and only if the current marking is not a deadlock marking for the open loop net.

Proof: 1) First, observe that if the constraint set (16) does not admit a feasible solution, the time-out procedure is always capable of recovering from an initial deadlock, because eventually the maximal control pattern will be reached and there exists at least one enabled transition regardless of the initial unknown marking. Second, observe that by induction on the iteration step in Algorithm 17 it is immediate to show that a smaller set of consistent markings yields a maximal control pattern at least as permissive. Finally, as in the proof of Theorem 20, the result follows from the fact that after a word has been observed, the set of consistent markings is contained in the initial macromarking (by Proposition 19), while the actual marking still belongs to the macromarking, its characteristic vectors being P-invariants.
2) If the maximal control pattern enables all transitions, assume that the deadlock recovery procedure fails: eventually the pattern enabling all transitions is reached and the controlled net coincides with the open loop net, so the current marking is a deadlock for the open loop net; conversely, such a marking cannot be recovered by any control pattern.

The second part of the theorem is useful to recognize those cases where no block may be ascribed to the controller-observer: in this case, in fact, the time-out procedure will eventually control enable all transitions. Such a case is discussed in Section VI-D.

C. Improving the Marking Estimate

In this subsection, we discuss the possibility of using the linear algebraic characterization above not only to recover from a block, but to improve the marking estimate as well. Assume that, given an observed word w, a current estimate and bound, a blocking condition occurs, and that after some iterations of Algorithm 17 a newly enabled transition fires. At this point, before the firing of that transition, the set of consistent markings is the restricted set computed at the last iteration, using the notation defined in Section VI-B. This set corresponds to the dark area in Fig. 4. We should keep this information when computing the new set after the firing of the transition.
Nevertheless, of consistent markings this would destroy the framework that inspired Algorithm 4 , in the sense that the set of consistent markings would loose the structure given in (1).
Fig. 4. Generic inclusion relationship among sets.
Thus, we propose the following alternative solution. For each place we solve an IPP of the form

(17)

where is the solution of the th IPP. Now, we define and let be the corresponding bound. We use and as new current values of the estimate and bound , and continue from step 5 of Algorithm 4, computing the updated estimate . This is equivalent to approximating the set of -consistent markings after recovery with the set

(18)

This set is also shown in Fig. 4: being , we may be losing information, but nevertheless we can keep a linear algebraic characterization of the set of consistent markings in the simple form specified by (1).

D. Numerical Example

Let us consider again the manufacturing system in Section IV-A, where the use of an observer may lead the closed-loop system to a blocking condition. In this subsection we show how the above deadlock recovery procedure may be efficiently applied to the net in Fig. 2. Here we assume that, although the exact timing structure of the net is unknown to the controller, an upper bound on the transition firing delay is known.
In Fig. 5 the top five nodes repeat the net evolution shown in Fig. 3. As already seen in Section IV-A, a blocking condition is reached at time after the firing of the sequence . When a time has elapsed, the net times out and we apply Algorithm 17 to update the control pattern. In particular, the set of transitions enabled by the initial control pattern is , while after the time-out procedure all , i.e., all transitions are control enabled. The marking estimate is updated as shown in Fig. 5, where the thick arrow denotes that the net has timed out. When 20 more units of time have elapsed, at time , another blocking condition is reached. Thus the net times out at time and we apply Algorithm 17 again. The set of transitions enabled by the controller is now . In such a case the marking is completely reconstructed, as shown in Fig. 5, and the net recovers from deadlock.
Finally, let us observe that the initial macromarking considered is such that , thus the assumptions of Theorems 20 and 22 are fulfilled. Since the net has timed out, Theorem 20 implies that IPP (15) admits feasible solutions for this net. Moreover, if we compute the maximal control pattern as defined in Definition 21, we find out that , which according to the notation of Theorem 22 implies . Now, if we consider the set , we find out that it does not admit any admissible solution for . By Theorem 22 this implies that if a net time-out occurs and we apply the procedure given in Algorithm 17, then the net will always recover from deadlock.

Fig. 5. Evolution of the net in Fig. 2 under control when the deadlock recovery procedure proposed in Section VI-A is applied.

VII. USING TIMING INFORMATION FOR STATE ESTIMATION

We now propose a general approach to incorporate available information on the timing structure of the net into the state estimation process. The approach was first proposed by the authors in [3] and is essentially based on the linear algebraic characterization of deadlock markings given by the system of inequalities (12). In particular, the above linear characterization is used to restrict the set of -consistent markings.
Let us assume that a known delay is associated to each transition; represents the time that must elapse, starting from the time at which the transition is enabled, until it fires. Assume that we start observing the net at time and that transition is control enabled during the time interval . Moreover, assume that the marking of the input places of does not increase during the time interval . If at time transition does not fire, we can be sure that the actual marking is such that , or equivalently that is not marking enabled: we say that has timed out at time . Note that if the marking of some places in has increased during the time interval , we can only conclude that the transition was not marking enabled at time , but no conclusion can be drawn on the marking enabling condition of at time . The set of timed out transitions is denoted .
The procedure that we describe in Algorithm 23 combines the marking estimation algorithm with the deadlock recovery procedure defined in Section VI. It considers two types of events that modify the marking estimate.
• The first type of event occurs when the firing of a transition is detected. In this case the marking estimate and bound are updated following Algorithm 4. In this step the set of timed out transitions may also be updated, removing from this set all those transitions such that , i.e., those transitions that may have been enabled by the firing of .
• The second type of event occurs when a new transition times out. In this case the set of timed out transitions is increased and we know that the actual marking must be such that the net is deadlocked, where is the subnet of induced by the set of the timed out transitions. We use this information to compute a new control pattern at least as permissive as the current one. We also update and solving for each place an IPP of the form given by (17).

A. Proposed Algorithm
Algorithm 23 (Control and Estimate Updating After Transition Time-out)
In this algorithm the variable represents the current value of the time. At each instant of time it is possible to partition the set of transitions into three subsets:
• is the set of transitions that are not control enabled given the current set of consistent markings.
• is the set of control enabled transitions that have timed out. A transition belongs to this set if during the time interval it has continuously been control enabled and the marking of all its input places has not increased during this same interval.
• is the set of those control enabled transitions that do not belong to .
These are the steps of the algorithm.
(Steps 1)–8) of Algorithm 23, with their sub-steps and constraint (19), are not reproduced here.)

B. Numerical Example
Let us consider again the manufacturing system in Section IV-A and let us apply Algorithm 23 to compute the closed-loop behavior of the net system in Fig. 2. The resulting evolution is represented in the reachability graph in Fig. 6, where the thick arrow now denotes a time-out and is labeled by the corresponding set .
At step 1 we define the initial estimate and bound. At step 2 we compute the control pattern for all transitions and set , and . In fact, the firing of may potentially violate specification (b), while the firing of may potentially violate specification (a). Then, we set the clock value of each transition in to its time delay. Given the actual delays, the time-out to wait before either applying the observer update procedure or the deadlock recovery procedure is .
At time , no transition fires and times out. Thus the time-out procedure is activated (step 8). This first implies the updating of to . Then, we define the net obtained from by removing all transitions not in . For all we compute the new control pattern according to step 8.c and we update the transition partitioning. In particular, we find out that both and are still disabled by the controller, thus , while . Now, by solving IPP we compute the new marking estimate and bound
and go back to step 4 of the algorithm. In such a case, we find out that the updated marking estimate and bound coincide with the previous ones. We compute the new value and, as in the previous step, it holds that .
At time , when one more time unit has elapsed, both conditions 6.a and 6.b are simultaneously satisfied because fires and times out. Condition 6.a takes priority and transition fires. The observer update procedure is applied. We update the estimate and bound as shown in Fig. 6, while the control pattern keeps the same for all transitions. Note that the firing of increases the token content of place , which is an input place for : thus is removed from the set at step 7.d. We compute the new value and it holds that because is ready to time out. Then, still at time , the time-out procedure is activated for . This enables us to improve the marking estimate as shown in Fig. 6 and also to make transition control enabled. More precisely, at time , after the TTO procedure has been applied, it holds that , and . Once again, at step 4, we find out that .
At time , after one more time unit has elapsed, no transition fires. Therefore, the time-out procedure is invoked with , and so on.
As can be seen in Fig. 6, at the end of this evolution path, at time , the marking is completely reconstructed and no further deadlock may occur.
To conclude, we may observe that when Algorithm 23 is applied, the closed-loop net recovers from the deadlock after 14 time units. On the contrary, when we apply the procedure presented in Section VI, which is invoked only when the net has timed out, the net recovers from the deadlock after more than 43 units of time.

Fig. 6. Evolution of the net in Fig. 2 under control when the deadlock recovery procedure using timing information is applied.
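The two recovery mechanisms compared above, as an added example that is not part of the original paper and does not use the paper's Fig. 2 net: a constructed four-place net with two circuits and one GMEC, whose initial macromarking leaves the observer unable to tell where each circuit's token sits. The consistent set is enumerated explicitly instead of being characterized by the integer programs (2), (12) and (17), the control rule is the maximally permissive one over the consistent set (a transition is control enabled only if its firing violates no GMEC in any consistent marking that enables it), and transition delays are taken as deterministic; these choices are assumptions of the example, as are all names in it. `nto_recover` plays the role of Algorithm 17 (restrict the consistent set to markings that deadlock the subnet induced by the current control pattern, then recompute the pattern, as in the fixed-point iteration of Definition 21), and `tto_simulate` plays the role of Algorithm 23 (transitions time out one at a time, so the consistent set shrinks earlier and a partial deadlock is lifted before a net time-out would occur).

```python
"""Observer-based GMEC control of a small P/T net with deadlock recovery by net
time-out (NTO) and transition time-out (TTO).  Added illustration, not the
paper's code: the paper solves integer programs over a linear characterisation
of the consistent markings; here a tiny net's consistent set is enumerated."""
from itertools import product

# Constructed net (not the paper's Fig. 2): circuits p1-t1->p3-t3->p1 and
# p2-t2->p4-t4->p2 sharing the GMEC M[p3] + M[p4] <= 1.  The observer only
# knows the P-invariants M[p1]+M[p3] = 1, M[p2]+M[p4] = 1 (macromarking).
PLACES = ("p1", "p2", "p3", "p4")
PRE = {"t1": {"p1": 1}, "t2": {"p2": 1}, "t3": {"p3": 1}, "t4": {"p4": 1}}
POST = {"t1": {"p3": 1}, "t2": {"p4": 1}, "t3": {"p1": 1}, "t4": {"p2": 1}}
GMECS = [({"p3": 1, "p4": 1}, 1)]                          # (weights, bound)
MACRO = [({"p1": 1, "p3": 1}, 1), ({"p2": 1, "p4": 1}, 1)]  # (weights, value)

def weight(m, w):                      # sum_p w[p] * M[p]
    return sum(k * m[PLACES.index(p)] for p, k in w.items())

def marking_enabled(m, t):
    return all(m[PLACES.index(p)] >= k for p, k in PRE[t].items())

def fire(m, t):
    return tuple(m[i] - PRE[t].get(p, 0) + POST[t].get(p, 0) for i, p in enumerate(PLACES))

def satisfies(m, gmecs):
    return all(weight(m, w) <= k for w, k in gmecs)

def consistent_set(invariants, gmecs, bound=1):
    """Markings with 0..bound tokens per place meeting every invariant
    with equality and every GMEC."""
    return [m for m in product(range(bound + 1), repeat=len(PLACES))
            if all(weight(m, w) == v for w, v in invariants)
            and satisfies(m, gmecs)]

def control_pattern(consistent, gmecs):
    """t is control enabled iff no consistent marking that enables t would
    violate a GMEC by firing it (vacuously enabled if none enables t)."""
    return frozenset(t for t in PRE if all(satisfies(fire(m, t), gmecs)
                     for m in consistent if marking_enabled(m, t)))

def restrict_by_timeout(consistent, timed_out):
    """A timed-out transition is known not to be marking enabled."""
    return [m for m in consistent
            if not any(marking_enabled(m, t) for t in timed_out)]

def observe_firing(consistent, t):
    return [fire(m, t) for m in consistent if marking_enabled(m, t)]

def nto_recover(consistent, gmecs, actual):
    """NTO recovery against a hidden actual marking: while no control-enabled t
    fires, the marking deadlocks the induced subnet: restrict C, recompute f."""
    patterns = []
    while True:
        f = control_pattern(consistent, gmecs)
        patterns.append(f)
        if any(marking_enabled(actual, t) for t in f):
            return patterns, consistent          # recovered
        smaller = restrict_by_timeout(consistent, f)
        if smaller == consistent:
            return patterns, consistent          # open-loop deadlock
        consistent = smaller

def tto_simulate(consistent, gmecs, actual, delays, horizon):
    """TTO loop, deterministic delays: a control- and marking-enabled t fires
    delays[t] ticks after its clock starts, otherwise it times out.  Clocks
    restart on firing or when an input place gains tokens; firings first."""
    trace, timed_out = [], set()
    f = control_pattern(consistent, gmecs)
    clock = {t: 0 for t in f}
    for now in range(1, horizon + 1):
        for t in clock:
            clock[t] += 1
        for t in sorted(f):
            if clock[t] >= delays[t] and marking_enabled(actual, t):
                actual = fire(actual, t)
                consistent = observe_firing(consistent, t)
                clock[t] = 0
                for u in PRE:                    # u's inputs gained tokens
                    if set(PRE[u]) & set(POST[t]):
                        timed_out.discard(u)
                        clock[u] = 0
                f = control_pattern(consistent, gmecs)
                clock = {u: clock.get(u, 0) for u in f}
                trace.append((now, "fire", t, f, list(consistent)))
                break
        for t in sorted(f):
            if clock[t] >= delays[t] and t not in timed_out:
                timed_out.add(t)
                consistent = restrict_by_timeout(consistent, {t})
                f = control_pattern(consistent, gmecs)
                clock = {u: clock.get(u, 0) for u in f}
                trace.append((now, "timeout", t, f, list(consistent)))
    return trace

if __name__ == "__main__":                       # hidden actual marking (1,1,0,0)
    c0 = consistent_set(MACRO, GMECS)
    print(nto_recover(c0, GMECS, (1, 1, 0, 0))[0])
    print(tto_simulate(c0, GMECS, (1, 1, 0, 0), {"t1": 1, "t2": 1, "t3": 2, "t4": 3}, 6))
```

With the hidden marking (1,1,0,0) the initial pattern enables only t3 and t4, which that marking cannot fire, so the closed loop is dead although the open loop is live. NTO recovery restricts the consistent set to the single marking that deadlocks {t3, t4} and then enables every transition. With delays 1, 1, 2, 3 for t1 to t4, TTO learns at time 2 from the time-out of t3 alone that p3 is empty, which already suffices to enable t2 (a partial recovery one tick before t4 would time out); t2 fires at time 3 and the marking is fully reconstructed. Feeding `nto_recover` a consistent set whose only marking is dead reproduces part 2 of Theorem 22: the pattern reaches the all-enabled vector and recovery stops.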
C. Linear Relaxation of Integer Programming

A drawback of the proposed procedure is that it requires solving at each step an integer programming problem to compute the control pattern: in some cases this may hinder the implementation of the approach on on-line controllers. This problem may be partially solved by simply relaxing the integer programming problems we consider into linear ones.
Assume that in IPP (2) the constraints are relaxed into . This yields a larger set of consistent markings , i.e., we have a relaxed observer (R-observer) that is possibly less accurate than the previously defined observer. By Proposition 9, the control pattern computed using the R-observer is possibly suboptimal, in the sense that it is less permissive than or at most as permissive as the one computed using the observer. Note, however, that the control pattern computed using the R-observer is certainly safe, i.e., it ensures that the control specifications are never violated.
Similarly, if in IPP (12) the constraints and are relaxed into and , this yields a larger set of deadlock markings. In this case the recovery procedures of Algorithm 17 and Algorithm 23 can still be applied, but the computed control patterns are, again, possibly suboptimal.
Thus, whenever necessary the control designer may take advantage of the linear relaxation trade-off, which allows one to obtain a possibly suboptimal but computationally efficient solution technique. As a final remark, it may also be possible to combine these techniques, using linear programming for the on-line computation of the control patterns and integer programming only when applying the net time-out procedure. As an example, in the case of the Petri net system already considered in Sections IV-A, VI-D and VII-B, one may verify that the on-line computation of the control patterns using the linear relaxation of IPP (2) always yields optimal solutions.
However, when a net time-out occurs, the linear relaxation is not optimal: the maximally permissive control pattern computed using the linear relaxation of IPP (12) disables and , and because of this the deadlock recovery procedure may not work.

D. Properties of the Algorithm With Transition Time-out

The knowledge of the timing structure of a net leads to the possibility of using Algorithm 23 for marking estimation and control. In the following we will call this procedure TTO (transition time-out). The next example shows that the TTO procedure may be able to recover from partial deadlocks: in such a case the NTO procedure (i.e., Algorithm 17) is useless because it is never invoked.
Example 24: Let us consider the net system in Fig. 7 with places and transitions. There exist 3 circuits, each one corresponding to a P-invariant. If the initial marking is that shown in Fig. 7 we have: ; . Moreover, we assume that the controller must enforce one specification: .
Let us first consider the case in which no information on the timing structure is available. In such a case the net never times out and the behavior is that shown in Fig. 8(a), where we can observe that a partial deadlock occurs. In fact, transition may initially fire, but in the sequel only and may alternately fire. On the contrary, is always disabled by the controller because the marking of has not been reconstructed and its firing may potentially violate the specification.
Now, let us assume that the timing structure is known and the TTO procedure is applied. In such a case the partial deadlock can be solved and the net evolution is that shown in Fig. 8(b). At , transition is initially disabled by the controller, i.e., . Thus, at time , since no transition fires, the TTO procedure is invoked. The set keeps the same but the marking estimate is improved. In particular, we reconstruct the marking of places and . After one more unit of time transition fires: once again we improve the marking estimate but we still have that . On the contrary, at time the TTO procedure is applied and all transitions become control enabled. Note that at this step, when we update the marking estimate, we completely reconstruct the actual marking of the net.

Fig. 7. Example showing how the knowledge of the timing structure may be used to solve partial deadlocks.

Fig. 8. Behavior of the controlled net in Fig. 7. (a) No information on the timing structure is available. (b) Timing structure is known and the TTO procedure is used.

As a final remark, we present a result showing that with respect to total deadlocks the two procedures have the same power.
Theorem 25: Let us consider a net system controlled with observer with current set of consistent markings . The net system is deadlocked when controlled with the TTO procedure if and only if it is deadlocked when controlled with the NTO procedure.
Proof: (if) First we show that if the net deadlocks using the NTO procedure it also deadlocks using the TTO procedure. If the net deadlocks using the NTO procedure, Algorithm 17 is invoked but we always execute step 5.b, until the algorithm stops at step 4 with the maximal control pattern and no transition enabled by it may fire. Now, let us assume that is controlled using Algorithm 23 and let be the series of control patterns computed by repeatedly iterating on step 8. To prove the statement of the theorem, we have to demonstrate that for all

(20)

To prove this, we first observe that the function is monotone. In fact, given two control patterns and with , then . This implies that . Let us define as the set of transitions control enabled by and the corresponding induced subnet. When the updated control vector is computed, only a subset of these transitions has timed out and, if we define the corresponding induced subnet, by Proposition 9 we have that

(21)

We now prove by induction that (20) holds for all values of . In fact . Assume now that . Then by (21) and by the monotonicity property, we also have that .
(only if) We show that if the net does not deadlock using the NTO procedure then it also does not deadlock using the TTO procedure. This result trivially follows from the fact that if we wait a sufficiently long time, then all transitions eventually time out and .
To conclude, we present a very simple example showing that in some cases the TTO procedure does not preserve the liveness of the system.
Example 26: Let us consider the Petri net system in Fig. 9 whose unknown initial marking is . The initial macromarking is and let us assume that the controller must enforce the specifications: and . The controlled net is live if the controller exactly knows the actual marking. As an example, given the marking in the figure, the controller disables and enables transition . On the contrary, regardless of the timing structure, the controlled net is dead if the observer is included in the closed loop. In fact, from the macromarking equation it is impossible to know whether or is initially marked, hence both and must be control disabled. When transition times out, no additional information on the location of the token in the set can be inferred and the recovery procedure fails.

Fig. 9. Example showing that the TTO procedure may fail to recover from a marking induced deadlock.

VIII. CONCLUSIONS

In this paper we have dealt with the problem of enforcing a set of GMEC on a timed Petri net by state feedback control under the assumption that the system state is not measurable but can only be estimated. We showed by means of an example that the use of an estimate instead of the actual marking may lead to a deadlock even if the controlled system is live. In the case that the net system is structurally bounded, we propose an algorithm that accelerates the state estimation and helps us to detect the observer induced deadlock. We first consider the case in which no information on the timing structure is known, then we show how the procedure may be modified when the delays associated to transitions are known. We also prove that this information may be used to improve the marking estimate and to recover the net from partial deadlocks.
REFERENCES

[1] K. Barkaoui, A. Chaoui, and B. Zouari, “Supervisory control of discrete event systems using structure theory of Petri nets,” in Proc. 1997 IEEE Int. Conf. Systems, Man, Cybernetics, Orlando, FL, Oct. 1997, pp. 3750–3755.
[2] F. Basile, P. Chiacchio, A. Giua, and C. Seatzu, “Deadlock recovery of controlled Petri net models using observers,” in Proc. 8th IEEE Int. Conf. Emerging Technologies Factory Automation, Antibes, France, Oct. 2001, pp. 441–449.
[3] F. Basile, A. Giua, and C. Seatzu, “Petri net control using event observers and timing information,” in Proc. 41st IEEE 2002 Conf. Decision Control, Las Vegas, NV, Dec. 2002, pp. 787–792.
[4] F. Chu and X. Xie, “Deadlock analysis of Petri nets using siphons and mathematical programming,” IEEE Trans. Robot. Automat., vol. 13, pp. 793–804, June 1997.
[5] J. Ezpeleta, J. M. Colom, and J. Martinez, “A Petri net based deadlock prevention policy for flexible manufacturing systems,” IEEE Trans. Robot. Automat., vol. 11, pp. 173–184, Feb. 1995.
[6] A. Giua, F. DiCesare, and M. Silva, “Generalized mutual exclusion constraints on nets with uncontrollable transitions,” in Proc. 1992 IEEE Int. Conf. Systems, Man, Cybernetics, Chicago, IL, Oct. 1992, pp. 974–979.
[7] A. Giua and C. Seatzu, “Observability of place/transition nets,” IEEE Trans. Automat. Contr., vol. 47, pp. 1424–1437, Sept. 2002.
[8] L. E. Holloway, B. H. Krogh, and A. Giua, “A survey of Petri net methods for controlled discrete event systems,” Discrete Event Syst., vol. 7, pp. 151–190, 1997.
[9] Y. Li and W. M. Wonham, “Controllability and observability in the state-feedback control of discrete-event systems,” in Proc. 27th Conf. Decision Control, Austin, TX, Dec. 1988, pp. 203–207.
[10] Y. Li and W. M. Wonham, “Control of vector discrete-event systems—Part I: The base model,” IEEE Trans. Automat. Contr., vol. 38, pp. 1215–1227, Aug. 1993.
[11] Y. Li and W. M. Wonham, “Control of vector discrete-event systems—Part II: Controller synthesis,” IEEE Trans. Automat. Contr., vol. 39, pp. 512–531, Mar. 1994.
[12] J. O. Moody and P. J. Antsaklis, “Petri net supervisors for DES with uncontrollable and unobservable transitions,” IEEE Trans. Automat. Contr., vol. 45, pp. 462–476, Mar. 2000.
[13] T. Murata, “Petri nets: Properties, analysis and applications,” Proc. IEEE, vol. 77, pp. 541–580, Apr. 1989.
[14] J. Park and S. A. Reveliotis, “Deadlock avoidance in sequential resource allocation systems with multiple resource acquisitions and flexible routings,” IEEE Trans. Automat. Contr., vol. 46, pp. 1572–1583, Oct. 2001.
[15] F. Di Cesare, G. Harhalakis, J. M. Proth, M. Silva, and F. B. Vernadat, Practice of Petri Nets in Manufacturing. London, U.K.: Chapman and Hall, 1993.
[16] A. Ramírez-Treviño, I. Rivera-Rangel, and E. López-Mellado, “Observer design for discrete event systems modeled by interpreted Petri nets,” in Proc. 2000 IEEE Int. Conf. Robotics Automation, Apr. 2000, pp. 2871–2876.
[17] W. Reisig, Petri Nets: An Introduction. New York: Springer-Verlag, 1982.
[18] M. Silva and J. M. Colom, “On the computation of structural synchronic invariants in P/T nets,” in Advances in Petri Nets 1988. New York: Springer-Verlag, 1989.
[19] S. Takai, T. Ushio, and S. Kodama, “Static-state feedback control of discrete-event systems under partial observation,” IEEE Trans. Automat. Contr., vol. 40, pp. 1950–1955, Nov. 1995.
[20] K. Yamalidou, J. O. Moody, M. D. Lemmon, and P. J. Antsaklis, “Feedback control of Petri nets based on place invariants,” Automatica, vol. 32, no. 1, 1996.
[21] L. Zhang and L. E. Holloway, “Forbidden state avoidance in controlled Petri nets under partial observation,” in Proc. 33rd Allerton Conf., Monticello, IL, Oct. 1995, pp. 146–155.
Alessandro Giua (S’90–M’92) received the Laurea degree in electrical engineering from the University of Cagliari, Cagliari, Italy, in 1988 and the M.Sc. and Ph.D. degrees in computer and systems engineering from Rensselaer Polytechnic Institute, Troy, NY, in 1990 and 1992, respectively. He joined the Department of Electrical and Electronic Engineering of the University of Cagliari in 1993, and is currently Associate Professor of Automatic Control. He has been a Visiting Researcher at the Universidad de Zaragoza (Spain), INRIA Rocquencourt and Lorraine (France), Université d’Angers (France), Université de Metz (France), and CINVESTAV Guadalajara (Mexico). His current research interests include control engineering, discrete-event systems, hybrid systems, automated manufacturing, and Petri nets.
Carla Seatzu was born in Cagliari, Italy, in 1971. She received the Laurea degree (M.Sc.) in electrical engineering and the Ph.D. degree in electronics engineering and computer science from the University of Cagliari, Cagliari, Italy, in 1996 and 2000, respectively. She is currently Assistant Professor of Automatic Control in the Department of Electrical and Electronic Engineering at the University of Cagliari. Her research interests include discrete-event systems, Petri nets, hybrid systems, decentralized control of open channels, and control of mechanical systems.
Francesco Basile (S’94–M’02) was born in Naples, Italy, in 1971. He received the Laurea degree in electronic engineering and the Ph.D. degree in electronic engineering and computer science from the University of Naples in 1995 and 1999, respectively. In 1999, he was a Visiting Researcher for six months with the Departamento de Ingenieria Informatica y Systems of the University of Zaragoza, Zaragoza, Spain. He is currently Assistant Professor of Automatic Control in the Dipartimento di Ingegneria dell’Informazione e Ingegneria Elettrica at the University of Salerno, Salerno, Italy. His current research interests are modeling and control of discrete-event systems, automated manufacturing, and robotics.